My server is under attack (I think)

Paul Schmehl pschmehl_lists at tx.rr.com
Fri Aug 19 19:39:05 UTC 2011


--On August 19, 2011 11:01:21 AM -0400 Mark Moellering <mark at msen.com> 
wrote:

> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
>
> Is there anything I should be doing to make sure the server isn't
> compromised?  It is a mail server running postfix / dovecot
> I have pf set up and am also running a program called sshguard.
> I am kind of at a loss.  It looks like I am under attack but I don't know
> what to do about it.  Any help is greatly appreciated
>
> Thanks in advance

As others have pointed out, this is routine probing by internet jerks.  You 
have several choices.  You can restrict access to ssh to specific IPs or 
netblocks.  You can ignore it and chalk it up to being on the internet. 
Or, if the people that have access to your server are sophisticated enough 
that it's not too much hassle explaining it, you can run ssh on some 
other port.

I chose options 1 & 2 for a server I maintain.  I'd prefer option 3, but I 
don't want to have to explain it to the owners.  They're not very tech 
savvy.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
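A worked example to go with option 1 above, added here and not part of the original thread. The "can't verify hostname" lines in dmesg only tell you that tcp_wrappers tried a DNS lookup for a probing host; the source addresses that matter are in the sshd "Invalid user" / "Failed password" lines in auth.log. The script below tallies those addresses and prints the ones over a threshold, one per line, which is exactly the file format pfctl's -T replace -f accepts for a table. It assumes FreeBSD's standard syslog format for sshd; the log lines embedded in sample_log are constructed for the demo, and the table name ssh_block and the path /etc/pf.ssh_block are my own choices. sshguard does this dynamically; this is the same idea done by hand so you can see what it would block before trusting it.

```shell
#!/bin/sh
# Added example (not from the thread): tally source IPs of failed ssh
# logins and print those at or above a threshold, highest count first.
# Assumes FreeBSD syslog format for sshd lines, e.g.
#   Aug 19 10:59:02 mail sshd[1831]: Invalid user oracle from 203.0.113.5
# Output is one address per line, loadable into a pf table with
#   pfctl -t ssh_block -T replace -f /etc/pf.ssh_block   (names assumed)

# ssh_offenders LOGFILE [THRESHOLD]
# Prints addresses seen in >= THRESHOLD (default 5) failed-login lines.
ssh_offenders() {
    log="$1"; threshold="${2:-5}"
    awk -v thr="$threshold" '
        # only sshd lines that record a rejected login attempt
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            # the source address is the token after the first "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { n[$(i + 1)]++; break }
            }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$log" | sort -rn | awk '{ print $2 }'
}

# sample_log: writes a constructed auth.log excerpt to a temp file and
# prints its path. 203.0.113.5 fails 4 times, 198.51.100.77 twice,
# 192.0.2.10 once; the successful publickey login must not count.
sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Aug 19 10:59:02 mail sshd[1831]: Invalid user oracle from 203.0.113.5
Aug 19 10:59:04 mail sshd[1831]: Failed password for invalid user oracle from 203.0.113.5 port 41022 ssh2
Aug 19 10:59:09 mail sshd[1840]: Invalid user admin from 203.0.113.5
Aug 19 10:59:11 mail sshd[1840]: Failed password for invalid user admin from 203.0.113.5 port 41031 ssh2
Aug 19 11:00:30 mail sshd[1852]: Invalid user test from 198.51.100.77
Aug 19 11:00:33 mail sshd[1852]: Failed password for invalid user test from 198.51.100.77 port 55120 ssh2
Aug 19 11:01:01 mail sshd[1860]: Accepted publickey for mark from 192.0.2.10 port 50022 ssh2
Aug 19 11:01:40 mail sshd[1866]: Failed password for mark from 192.0.2.10 port 50040 ssh2
Aug 19 11:01:44 mail sshd[1870]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
EOF
    echo "$f"
}

# Usage: sh ssh_offenders.sh /var/log/auth.log 5 > /etc/pf.ssh_block
# With no arguments the script defines the functions and does nothing.
if [ $# -ge 1 ] && [ -f "$1" ]; then
    ssh_offenders "$1" "${2:-5}"
fi
```

To actually use the list from pf, declare the table in pf.conf and block from it ahead of your pass rule, something like (ext_if and the table name are assumptions):

    table <ssh_block> persist file "/etc/pf.ssh_block"
    block in quick on $ext_if proto tcp from <ssh_block> to any port ssh

Regenerate the file from cron and reload it with pfctl -t ssh_block -T replace -f /etc/pf.ssh_block; pfctl -t ssh_block -T show lets you check what is currently blocked. Keep your own management netblocks out of the file, since a mistyped password from your own desk would otherwise lock you out.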